This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
Wish: Warn about non-secure signup & login (i.e., not HTTPS)
I just discovered that an until-now trusted website does not use secure (HTTPS) pages for signup and login. In the early days of the secure Web, I was diligent about checking for HTTPS URLs. But my security radar has fallen into disrepair because secure pages have become standard operating procedure.
I'm writing to ask 1Password to help me be more aware of website security, e.g., warn me when I'm about to enter a username & password into an HTTP page.
I did a quick check of the 400+ Login entries in my 1Password database -- approximately half of them have HTTP URLs. For example, the insecure half includes my login to the Agile forums.
The importance of secure signup & login depends on the site. It's essential for my credit union, hosting service & Gmail and less important for other sites. So there'd need to be a way to disable security warnings for specific sites, either at initial signup or when using 1Password to login.
Update:
After adding this topic, I received assurance from my trusted site that their login IS secure -- the login form on their HTTP page does a post to a secure HTTPS URL.
This means it would be extremely helpful if 1Password could be "looking under the covers" during signup and login.
-- Ward
Comments
Wow. Let me begin by thanking you for pointing this out! I like to think that I am attentive to these things myself, but apparently I need to be more vigilant in this regard: I had no idea that our forum login form isn't a secure page!
I would like to add a little perspective, though, now that I am done freaking out about that. ;)
For our forums at least, this likely poses no real threat, as I would hope that neither you nor any of the other great folks around here are sharing sensitive information in your posts or profiles. (For myself and the rest of the team however, this is a bit more of a concern, since someone with a hijacked admin login could do some crazy things...but I digress.)
So to address your wish directly, I have to say that at Agile we try to focus our efforts on 1Password's core functionality -- all the stuff that's really great and unique about 1Password -- and leave the rest to other folks, to do what [i]they[/i] do best. So while we won't rule it out completely, this really isn't something that's likely to happen in the near future.
That's the bad news. The good news is that there are a couple of great Firefox extensions that I think would be perfect for your situation:
[url="http://www.eff.org/https-everywhere"]HTTPS Everywhere[/url] is an awesome, lightweight extension from the (equally awesome) [url="http://eff.org"]Electronic Frontier Foundation[/url] for automatically "rewriting all requests to these sites to HTTPS." They have a growing list of supported sites, and you can manually create new rules as well.
[url="http://noscript.net/"]NoScript[/url] is a much more comprehensive solution for the security-conscious. It has a similar feature to "force the following sites to use secure (HTTPS) connections," as well as its main feature of -- surprise! -- giving you complete control over which scripts you allow sites to run on your computer.
A few years ago having these sorts of tools on Firefox wasn't nearly as useful, but with it being the most popular web browser for some time now, there are few sites that aren't fully compatible. And at this point, NoScript especially is very mature and robust (they're also part of [url="http://donottrack.us/"]the Do Not Track initiative[/url] that has been gaining some traction.) Firefox isn't my most preferred web browser, but version 4 is superb, and I use it often -- if only for things like NoScript and other great extensions that aren't available anywhere else.
So while I am sorry to disappoint you by saying that this may not be something that is in the cards for 1Password, I think it's probably better that we defer to some other great developers out there instead of trying to duplicate their efforts and play catchup. :)
P.S: If that is your real beard, I salute you, sir! :mellow:
[quote name='Ward' timestamp='1303315388' post='25237']
I just discovered that an until-now trusted website does not use secure (HTTPS) pages for signup and login. In the early days of the secure Web, I was diligent about checking for HTTPS URLs. But my security radar has fallen into disrepair because secure pages have become standard operating procedure.
I'm writing to ask 1Password to help me be more aware of website security, e.g., warn me when I'm about to enter a username & password into an HTTP page.
I did a quick check of the 400+ Login entries in my 1Password database -- approximately half of them have HTTP URLs. For example, the insecure half includes my login to the Agile forums.
The importance of secure signup & login depends on the site. It's essential for my credit union, hosting service & Gmail and less important for other sites. So there'd need to be a way to disable security warnings for specific sites, either at initial signup or when using 1Password to login.
Update:
After adding this topic, I received assurance from my trusted site that their login IS secure -- the login form on their HTTP page does a post to a secure HTTPS URL.
This means it would be extremely helpful if 1Password could be "looking under the covers" during signup and login.
-- Ward
[/quote]
[quote name='brenty' timestamp='1303370109' post='25290']
So to address your wish directly, I have to say that at Agile we try to focus our efforts on 1Password's core functionality -- all the stuff that's really great and unique about 1Password -- and leave the rest to other folks, to do what [i]they[/i] do best. So while we won't rule it out completely, this really isn't something that's likely to happen in the near future.[/quote]
Just an idea: Perhaps 1Password could just show an icon for logins with HTTPS URIs, much like the little padlock icon browsers use already. Or perhaps it'd be better to show a little warning icon for logins that are [i]not[/i] HTTPS?
It's not as comprehensive as Ward's suggestion (which I wholeheartedly second, by the way!) of proactively checking forms and warning; it'd just be a passive reminder to the user. But that's helpful too and - I suspect - it'd be simple to implement.
I suggested elsewhere that an overall "audit" feature in 1Password would be awesome (i.e. something that looks for iffy logins where passwords or username/password combos have been reused and such), and the addition of checking for HTTPS would be cool in that context too. Along with password-reuse and general password entropy checks, you'd get a pretty quick overview of your "exposure". But that's a wider-ranging thing. Much of the functionality can be duplicated using Smart Folders of course, but having it built in would raise awareness (and it'd just be easier). Plus, even the vigilant users might forget to check for some issues; like Ward, I too had forgotten to check for HTTPS on some of my logins.
[quote name='flambino' timestamp='1303695684' post='25568']
Just an idea: Perhaps 1Password could just show an icon for logins with HTTPS URIs, much like the little padlock icon browsers use already. Or perhaps it'd be better to show a little warning icon for logins that are [i]not[/i] HTTPS?
[/quote]
I like the way you think. It would certainly be helpful in some situations to be able to see that at a glance. Something to consider, though: Websites change all the time and can pretty much do whatever they want regardless of the URL you request. This, of course, can account for probably 90% of 1Password login issues: The sites are doing something differently than when the Login item was first saved. So 1Password telling you that a particular Login is secure means nothing, essentially, when the site can just redirect you to an insecure page. <_<
I was all set to suggest Smart Folders, but you beat me to the punch there...and then made a brilliant point:
[quote]but having it built in would raise awareness (and it'd just be easier).[/quote]
I think it's easy to dismiss some suggestions as being impractical or frivolous, and forget that not everyone is equally vigilant/paranoid -- and not necessarily when it matters either. Awareness is huge for casual users, and, as you point out, power users could use a kick in the pants too from time to time. Thank you for raising this issue, and, by extension, raising [i]my[/i] awareness that [i]awareness itself[/i] is a noble pursuit! :)
[sup](Try saying that ten times fast!)[/sup]
[quote name='brenty' timestamp='1303700741' post='25575']
Something to consider, though: Websites change all the time and can pretty much do whatever they want regardless of the URL you request. [...] So 1Password telling you that a particular Login is secure means nothing, essentially, when the site can just redirect you to an insecure page. <_<
[/quote]
True. Hadn't considered that. In some ways it's probably better to [i]not[/i] have an icon at all then. False sense of security is (almost) worse than bad security.
Or rather, the half-way solution of just checking the URL isn't good enough - you'd have to do what Ward suggested and check both the login page and the URL the form posts to. Go big or don't go at all :)
[quote name='brenty' timestamp='1303700741' post='25575']
you beat me to the punch there...and then made a brilliant point
[/quote]
Yeah... I do that a lot B)
[quote name='brenty' timestamp='1303700741' post='25575']
Awareness is huge for casual users, and, as you point out, power users could use a kick in the pants too from time to time. Thank you for raising this issue, and, by extension, raising [i]my[/i] awareness that [i]awareness itself[/i] is a noble pursuit! :)
[/quote]
You're quite welcome :)
Things like icons or other callouts can do a lot, even if you don't understand their meaning at first. Just the fact that some items in a collection get called out while others don't sets the mind working on [i]why[/i] that is, what it could mean, and so forth. And, in the context of security, whether the callout is a good or bad thing. Games are actually really good at doing this sort of "teaching", since the player needs to be taught what to do and what's going on, but the game can't directly give it away either. Obviously, something that isn't a game [i]can[/i] just explain what's going on, but it can become a crutch too. The documentation should still explain it of course, but few people want to be explicitly taught and told what's good for them. Saying RTFM doesn't really work :)
For myself, I created tons of smart folders in 1Password for things like reused passwords, non-HTTPS logins and of course different levels of password strength. My "game" then became to get all the "bad" folders down to zero items. (I could do the same with the default "Unfiled" folder, but I use tags and Smart Folders for almost everything and bypass the normal folder system). Had 1Password come with a built-in Smart Folder or similar that listed all the "bad" logins you have, I suspect many people would make it their "game" to understand what the selection criteria for the folder are and how to get it emptied. That'd raise awareness and teach people without trying to sit them down and explain things. Especially if the folder's name and/or icon clearly communicated that "here be bad stuff" :)
As you say, it may seem frivolous or even "cheap", but when done right it can mean a lot. And it'll always be more subtle and less frivolous than saying RTFM :)
[quote]1Password telling you that a particular Login is secure means nothing, essentially, when the site can just redirect you to an insecure page.[/quote]
I think this is the primary reason it would not be advantageous to add this feature, but there may be another way to do it. I like the way you describe it as a game, flambino. :-)
The trick would be determining what constituted a "bad" or somehow "less secure" login. http vs https is out, and password strength can often not be changed for some logins. For example, I have some passwords saved for logins which are shared with other people. It is not up to me to change them. I have the technical authority but not sociopolitical. Those ones would drive me crazy in that theoretical Smart Folder. :lol:
[quote name='khad' timestamp='1303708462' post='25582']
The trick would be determining what constituted a "bad" or somehow "less secure" login. http vs https is out, and password strength can often not be changed for some logins. For example, I have some passwords saved for logins which are shared with other people. It is not up to me to change them. I have the technical authority but not sociopolitical. Those ones would drive me crazy in that theoretical Smart Folder. :lol:
[/quote]
Yeah, that'd drive me crazy too, now that you mention it. I hate lacking sociopolitical authority! <_<
I have some shared logins as well, so they're still in the folders I'd like to be empty. Since I've set the criteria for the folder myself, I understand why they're there, and I can tweak the criteria to remove them. It'd likely be much more annoying if I hadn't created the folder myself, and couldn't empty it either.
I suppose the folder could be shown/hidden via a preference item, but that's not very elegant. Alternatively, there could be a "yes, I'm aware this login isn't the greatest, but stop bugging me!" flag to let you get stuff out of the folder without really changing anything. That's not very neat either, but it's not too far removed from the "save master password in keychain" warning you already get on OS X. Yes, you can do that, but understand the consequences, etc.
Or there could simply be a way to exclude items tagged with [i]xyz[/i] from the folder.
Perhaps it's better for it to be a separate function you could run on demand, and which would list the "issues" it finds. Smart folders would of course update automagically and all that, but you'd also always have them there, annoying you with their item counts. Meanwhile the "find issues" function (which should be called something better) would only show you something when you ask for it, but just having it there would still raise awareness and hopefully encourage usage. Even if you have your own little "game" already.
[quote]Perhaps it's better for it to be a separate function you could run on demand, and which would list the "issues" it finds.[/quote]
I like that idea. A sort of "Password Audit Assistant" or something. I think that would be a good balance between being "in your face" and too hands-off. That is to say, my mom and dad could run the assistant, but they would not be staring at some Smart Folders so much that they end up just ignoring them anyway. ;-)
I like that game much better.
In the meantime, since the feature does not yet exist in 1Password, we power users will continue to handcraft our Smart Folders and educate our moms and dads. :-D
[quote name='khad' timestamp='1303710949' post='25584']
That is to say, my mom and dad could run the assistant, but they would not be staring at some Smart Folders so much that they end up just ignoring them anyway. ;-)
[/quote]
Very true. I'm already ignoring the "Unfiled" folder.
It's probably pretty crucial that you've created the folder system (or run the theoretical function) yourself. Otherwise you're just not that invested in it.
[quote name='khad' timestamp='1303710949' post='25584']
In the meantime, since the feature does not yet exist in 1Password, we power users will continue to handcraft our Smart Folders and educate our moms and dads. :-D
[/quote]
Doin' my best already ;)
[quote]Very true. I'm already ignoring the "Unfiled" folder.[/quote]
The "Unfiled" Smart Folder has actually been removed in the beta channel and folder search criteria has been added in order to allow folks to recreate the folder — or, better yet, a personalized variation of it — for some of the exact reasons outlined above. :-)
I've created a new login in 1Password for a website, specifically a Wordpress site. I normally only login to the administration console using https so I created the login using the URL of https://blog.foo.com. This is the only login for the site recorded in 1Password.
I found that when I navigate to the site using http I am still allowed through the "Fill & Submit" feature for Safari to fill in my username and password even though it's not over https. Is there a way to control this through 1Password? I did a few searches but wasn't able to find anything regarding this.
What I'd like is for 1Password "Fill & Submit" to not show a possible match to the http URL of the site since I created the login entry specifically using https.
Thanks for any help or pointers.
Josh
Hey Josh,
Thanks for your interest in this. I have merged your post with the appropriate thread. :-)
Is there a reason you would not always use a secure connection?
Please do read through the thread above and let me know if you have any additional questions or concerns.
We are always here to help!
[quote name='khad' timestamp='1305933931' post='27471']
Hey Josh,
Thanks for your interest in this. I have merged your post with the appropriate thread. :-)
Is there a reason you would not always use a secure connection?
Please do read through the thread above and let me know if you have any additional questions or concerns.
We are always here to help!
[/quote]
Thanks for merging my question to this thread. Though I read the thread fully I may be missing a few things so apologies if I'm being repetitive.
There's definitely no reason for me to not use a secure connection all the time. However many sites are hosted using both http and https. Hence the reason I created the 1Password login entry with https specifically. I was hoping that if I accidentally connected to the site using http instead of https that 1Password would not show the "Fill & Submit" for that login since the protocol does not match the one I created the login for.
Normally I connect to sites using "Go & Fill" however sometimes I don't. If I use "Go & Fill" I know I will always go to the specific site, including protocol, that I want to get to. Unfortunately I don't always use that particular method since it pops open a new window when I have a perfectly good one in front of me that's already at the site I want to log into.
I guess ultimately what I am hoping for is that since I specifically created a login in 1Password using https it would recognize that I am trying to be more secure and not match those credentials to non-https sites when presenting options for "Fill & Submit". I do however recognize this would add a lot of confusion to general users who may not understand this difference. What about a checkbox option in the login that I create for 1Password that says "Restrict to specific protocol" or "Restrict to https"? This would put the burden on me and other users rather than making a generic or blanket change that would affect everyone. I understand that behind the scenes the site I'm connecting to can throw around my credentials as much as it likes using secure or insecure means but that's simply something out of my or your control. I'm not asking for 1Password to read into the sites or validate them as secure. I only want to make sure that the URL I connect to is the one that I expected to connect to.
Either way, it sounds like I have a workaround to my problem by using HTTPS Everywhere or NoScript to keep me on the straight and narrow. If my suggestion above makes any sense, cool. If not then, Doh!
I appreciate the help and the pointers.
Thanks for the clarification. I should also clarify that I have passed this along to the developers for consideration in a future version.
It is a bit tricky for 1Password to monitor the security of your connection, since, as Ward mentions in his update to the original post, some sites are using a mix of secure and insecure elements. This is perhaps best analyzed on the level of the browser which has greater access and control over this sort of information. It would be easy for 1Password to simply look for https in the URL, but that wouldn't be proof that the form on the page was using a secure connection when you submit it. We tend to avoid features which only [i]appear[/i] secure on the surface but are nothing more than "security theater."
I think the browser is much better positioned to give you the sort of feedback and guidance you are requesting in this particular case, but we never say "never." :-)
Cheers,
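Ward's update (an HTTP page whose login form posts to an HTTPS URL) and khad's point that https in a Login's URL proves nothing about where the form actually submits both come down to one check: resolve each password form's action against the page URL and look at the resulting scheme. The script below is an added example written for this thread, not 1Password's code; the sample pages, hostnames and verdict names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str | None, "has_password": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_login_forms(page_url, html):
    """Return [(resolved submit URL, verdict)] for each form holding a password field.

    A relative or protocol-relative action inherits the page's scheme. An absolute
    https:// action on an http:// page (Ward's case) gets its own verdict, because the
    form itself arrived over an unauthenticated connection and could have been altered.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A missing or empty action submits back to the page URL itself.
        submit_url = urljoin(page_url, form["action"] or page_url)
        submit_scheme = urlsplit(submit_url).scheme.lower()
        if submit_scheme != "https":
            verdict = "insecure"               # credentials would travel in the clear
        elif page_scheme != "https":
            verdict = "posts_https_from_http"  # HTTPS submit from an HTTP-served form
        else:
            verdict = "secure"
        results.append((submit_url, verdict))
    return results


# Constructed sample pages for this example; the hostnames are not real sites.
SAMPLE_PAGES = {
    "http://forum.example.test/login": """
        <form method="post" action="/index.php?act=login">
          <input name="username"><input type="password" name="password">
        </form>""",
    "http://www.example.test/": """
        <form method="post" action="https://secure.example.test/session">
          <input name="user"><input type="password" name="pass">
        </form>
        <form action="/search"><input name="q"></form>""",
    "https://blog.example.test/wp-login.php": """
        <form method="post"><input name="log"><input type="password" name="pwd"></form>""",
}


if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(url, classify_login_forms(url, html))
```

Only the last verdict is "secure"; the first page is the forum-style case and the second is Ward's, which a URL-only check would misreport in opposite directions.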